Initiative Would Define Infosec Occupations

The Office of Personnel Management is leading an initiative to better define the roles of cybersecurity professionals in order to help federal departments and agencies recruit and retain IT security experts.

A major problem the federal government faces in attracting and keeping cybersecurity experts is a lack of occupational classifications for information security professionals. But with the need to recruit thousands of cybersecurity professionals to the federal service, Office of Personnel Management Director John Berry deemed as a high priority the development of competency models that would lead to IT security occupational classifications.

In a memo Thursday to departmental and agency chief human capital officers, Berry unveiled the OPM initiative to develop competency models that would identify critical elements of a cybersecurity workforce throughout the federal government.

"Because cybersecurity work is performed in many different positions and places throughout the federal government, it is not easy to identify them by looking solely at job titles or organization charts," Berry wrote in the memo.

Berry is asking the chief human capital officers to provide his office by Jan. 15 documents that describe IT security positions, vacancy announcements, crediting plans, training plans, performance management plans and any studies or competency models of cybersecurity work in their departments or agencies, as well as information about agency recruitment efforts, challenges and outcomes.

OPM is partnering with the National Security Council Interagency Policy Committee Working Group on the competency model development process. Because of the many types of cybersecurity work, OPM will develop competency models using categories outlined by the NSC working group. They include:

IT Infrastructure, Operations, Maintenance and Information Assurance: Personnel who have significant responsibilities for designing, developing, operating or maintaining the security of federal IT infrastructures, systems, applications and networks. This model includes individuals who have responsibility for maintaining the confidentiality, integrity and availability of the information contained in and transmitted from those systems and networks.

Domestic Law Enforcement and Counterintelligence: Personnel who analyze cyber events and environments to investigate potential threats and individuals who participate in law enforcement, counterintelligence and other types of investigatory activities involving IT systems, networks and/or digital information/evidence.

Specialized Cybersecurity Operations: Personnel employed by departments and agencies that are engaged in highly specialized and largely classified cybersecurity operations focused on collection, exploitation and response.

By late spring, Berry said, he hopes to have subject matter experts review draft task and competency lists.

Recruiting cybersecurity experts has been a long-time challenge for federal recruiters, one highlighted in a report issued this summer by the not-for-profit Partnership for Public Service and the management consultancy firm Booz Allen Hamilton, which said the lack of occupational classification for IT security hampers recruiting and retention efforts.

"How jobs are classified impacts managers' ability to bring in people with the right skills, but government is operating with an outdated and often vague job classification scheme for information security," the report states. "One of government's computer science job categories was last updated in 1988, before the Internet was even invented. In addition, there are no uniform governmentwide certification standards for specific job categories, no federal career path for cybersecurity specialists, insufficient specialized training for workers to upgrade skills and salary caps that lag the private sector."
